Oppenheimer & Co. CISO: Cloud Adds New Contour to Gateway Monitoring, Botnet Detection
Henry Jiang explained the choice of Zscaler at OpRisk North America.
Henry Jiang, Oppenheimer's chief information security officer, could see the writing on the wall. Seventy percent of Oppenheimer's network traffic is now internet-based, he told a gathering at this week's OpRisk North America conference, and dealing with the bandwidth and infrastructure required to handle that load internally across 28 offices is, in a word, expensive.
Moving to the cloud was the answer, but it created a different problem.
"It was interesting to us how little of our network has anything to do with our own corporate assets or order management system," he said. "So doing this made a lot of sense on a business level; we migrated to cloud in three months and the cost savings — I had to check my math was right twice on this — were 85 to 90 percent, but security was the thing we had to resolve."
Oppenheimer, with about $20 billion under management, was already using Palo Alto Networks as part of its threat detection regime, but began speaking to Jay Chaudhry at startup firm Zscaler to refine its monitoring capabilities. The problem was a quantitative and qualitative one, he says.
"We have a few thousand end-points, but we collect about 25 million events per day across all our cyber platforms, so no single security analytics solution can handle all that, so it's down to what data do you trust?" he says. "Palo Alto generates 13,000 events to check on; with Zscaler, we were able to trim that down to 20 events across 500 users, that we can then correlate back with the other intelligence. For example, Zscaler recently flagged up a malware case that we traced back to 6,000 logs in Palo Alto. And as we've built this out, we found much of it can be automated: once you have a scoring system you can trust, you can use an application like Splunk to create a dynamic rule to block a suspicious internet protocol (IP)."
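The correlation Jiang describes, as an added example that is not the article's, Oppenheimer's or Zscaler's code: a handful of high-confidence proxy alerts are scored against a much larger firewall log, and only destination IPs whose corroborated score crosses a threshold are emitted for a block rule. All log records, field names, weights and the threshold are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the article): a short list of high-confidence
# proxy alerts and a larger firewall log that is correlated against them.
PROXY_ALERTS = [
    {"ts": "2024-05-01T09:02:00", "user": "alice", "dst_ip": "203.0.113.7", "cat": "malware"},
    {"ts": "2024-05-01T09:40:00", "user": "bob", "dst_ip": "198.51.100.9", "cat": "phishing"},
]
FIREWALL_LOG = [
    {"ts": "2024-05-01T08:59:00", "src": "10.1.4.20", "dst_ip": "203.0.113.7", "sev": "high"},
    {"ts": "2024-05-01T09:01:30", "src": "10.1.4.20", "dst_ip": "203.0.113.7", "sev": "medium"},
    {"ts": "2024-05-01T09:03:10", "src": "10.1.7.11", "dst_ip": "203.0.113.7", "sev": "high"},
    {"ts": "2024-05-01T09:41:00", "src": "10.1.2.5", "dst_ip": "198.51.100.9", "sev": "low"},
    {"ts": "2024-05-01T14:00:00", "src": "10.1.2.5", "dst_ip": "198.51.100.9", "sev": "high"},  # outside window
    {"ts": "2024-05-01T09:05:00", "src": "10.1.9.3", "dst_ip": "192.0.2.44", "sev": "high"},    # no proxy alert
]
# Constructed weights: the trusted alert source anchors the score, firewall hits corroborate it.
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 5}
CATEGORY_WEIGHT = {"malware": 10, "phishing": 6}

def _t(s):
    return datetime.fromisoformat(s)

def correlate(alerts, fw_log, window_minutes=10):
    """Score each alerted destination IP: the alert's category weight plus the
    weight of every firewall hit on the same IP within +/- window_minutes.
    Also returns the internal sources seen talking to each scored IP."""
    window = timedelta(minutes=window_minutes)
    scores, hosts = defaultdict(int), defaultdict(set)
    for a in alerts:
        ip = a["dst_ip"]
        scores[ip] += CATEGORY_WEIGHT.get(a["cat"], 1)
        for e in fw_log:
            if e["dst_ip"] == ip and abs(_t(e["ts"]) - _t(a["ts"])) <= window:
                scores[ip] += SEVERITY_WEIGHT.get(e["sev"], 0)
                hosts[ip].add(e["src"])
    return dict(scores), {ip: sorted(h) for ip, h in hosts.items()}

def block_list(scores, threshold=15):
    """Destination IPs whose corroborated score reaches the block threshold."""
    return sorted(ip for ip, s in scores.items() if s >= threshold)

if __name__ == "__main__":
    scores, hosts = correlate(PROXY_ALERTS, FIREWALL_LOG)
    for ip in block_list(scores):
        print(f"block {ip} score={scores[ip]} internal_hosts={hosts[ip]}")
```

Firewall hits with no matching proxy alert (192.0.2.44 above) never enter the score, which is the trimming the quote describes; the internal hosts list is what an analyst would pivot on next.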
'Move With It'
Chaudhry's firm, founded in 2008 and serving the likes of Nestle, United Airlines, and the UK's National Health Service, was recently given a 10-figure valuation. It's indicative of how problematic the move to cloud, and to mobile, has been for security at firms of all stripes.
"Your employees are always your weakest link. Eight to 10 percent of machines have botnets infecting them at any given time," he explained. "They sit there quietly and undetected, and today can come in through means as diverse as JavaScript or Facebook Lite, and take advantage of the Internet of Things, like connections to appliances like printers or copiers that are there to help the provider know when to bring you replacement toner cartridges, with good intentions but no security built in."
That's just one reason major firms, in finance and elsewhere, are trying to get a better handle on their networks, with more subtle information, as they ride the wave of datacenter consolidation that cloud-based infrastructure has produced.
"You protect at a gateway level, and you can track whether policies around patching, for instance, are being enforced with cloud," Chaudhry told the audience.
"In my experience, it comes down to 'don't trust anything' with this — zero-trust networking is the key. The notion of 'on-off' networks today is silly, and firms are moving to network segmentation as a result, because once you're compromised somewhere, you should assume you're compromised everywhere now. It's a problem because cloud and mobile are also helping users bypass security protocols. Security now must move with it."
Copyright Infopro Digital Limited. All rights reserved.